How to configure WSUS Specific Settings for Windows devices?

Windows Server Update Services (WSUS) is a tool developed by Microsoft that lets IT administrators oversee and control the distribution of updates released by Microsoft to Windows devices on a network. The primary purpose of WSUS is to guarantee that all Windows devices are up to date with security patches, thus ensuring the stability of the production environment. The WSUS server offers a wide range of features that help manage and distribute Windows updates through a management console. With Hexnode UEM, the IT admin can configure specific settings related to Windows Server Update Services for Windows devices to centralize the update management process.

Notes:

  • This feature is available on Hexnode UEM’s Ultra subscription plan.
  • This policy is applicable only when the organization utilizes WSUS for the distribution of third-party software and patches.

Configure WSUS Specific Settings with Hexnode UEM

  1. Log in to your Hexnode UEM portal.
  2. Navigate to the Policies tab.
  3. Click on New Policy to create a new one or click on any policy to edit an existing one. Enter the Policy Name and Description in the provided fields.
  4. Navigate to Windows and select WSUS Specific Settings under Patches & Updates.
  5. Click on Configure.

Update Service URL

Specify the URL of the WSUS server to receive updates from it.

Add alternate Update service URL

Check this option to add an alternate service URL on the network as an internal update service. The Automatic Update client will search this service for updates that apply to the computers on your network.

Alternate Update Service URL

Specify the URL for alternate update service.

Update detection frequency

This setting schedules update checks on Windows within the specified time. Windows adds a random time variance of 0 to 4 hours to the specified time limit. For example, if the update detection is set for every 16 hours, the check for available updates might occur between 16 and 20 hours. If disabled or not configured, Windows will check for updates at the default interval of 22 hours.

Third-party signed updates

If set to Allowed, it configures Automatic Updates to accept updates signed by entities other than Microsoft, when the update is found on an intranet Microsoft update service location. The updates will be accepted only if they’re signed by a certificate found in the “Trusted Publishers” certificate store of the local computer.

Settings and descriptions:

  • Allowed: This option is selected by default to allow updates signed by entities other than Microsoft.
  • Not Allowed: This setting prevents Automatic Updates from accepting updates signed by entities other than Microsoft.

Allow online Microsoft Update services

Determine whether the device should be allowed to use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. Enabling this option can cause disruptions in connection to public services such as the Microsoft Store.

Fill empty content URLs

Check this option to allow the Windows Update Agent to automatically determine the download URLs from the alternate source when the files are missing from the update metadata.

Dual Scan

Configure whether the Windows Update client is permitted to initiate automatic scans against Windows Update when update deferral policies are enabled.

Note:

  • If this option is not configured, the Windows Update client may initiate automatic scans against Windows Update while update deferral policies are enabled.

Settings and descriptions:

  • Allow scan against Windows Update: Select this option to allow the Windows Update client to initiate a scan directly against Windows Update.
  • Don’t allow update deferral policies to cause scans against Windows Update: Select this option to prevent update deferral policies from automatically initiating scans against Windows Update.

Proxy behavior for update detection

By default, HTTP WSUS servers require system proxy configuration for scanning. If the system proxy fails, it utilizes the user proxy as a fallback for detecting updates.

Settings and descriptions:

  • Allow system proxy only for HTTP scans: Selecting this option will allow the use of a system proxy for HTTP scans.
  • Allow user proxy to be used as a fallback if detection using system proxy fails: Selecting this option enables the user proxy to serve as a backup in case the system proxy detection fails.

Do not enforce Enterprise TLS certificate pinning

Check this option to enforce certificate pinning when scanning the WSUS server for updates.

Configure update sources

Tick this option to choose whether to receive Windows Updates from the Windows Update endpoint, managed by Windows Update for Business policies, or from the configured Windows Server Update Service (WSUS) server.

The following options will be enabled if “Configure update sources” or “Add alternate Update service URL” is checked.

Settings and descriptions:

  • Driver Updates: Driver updates refer to the process of updating or replacing the existing software that controls a particular hardware component in a device.
  • Quality Updates: Quality Updates are security updates, incorporating fixes that patch security vulnerabilities and enhance the overall stability of the operating system.
  • Feature Updates: Feature Updates include new features, visual enhancements, and new versions of the operating system.
  • Other Updates: Other Updates can consist of updates based on the software or system. They may involve updates for applications, firmware updates, updates for hardware devices, or any other miscellaneous updates that are not classified as driver, quality, or feature updates.

For the above settings, there are two options to choose from, either Use Windows Updates to receive updates from the Windows Update endpoint, managed by Windows Update for Business policies, or Use WSUS to receive updates from the configured WSUS server.
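
An added example, not part of Hexnode's documentation: a PowerShell check to run on a managed device to see how the settings above landed and to flag the security-relevant ones. It assumes the policy is delivered through the Windows Update policy CSP and that its values are readable under the PolicyManager registry key shown; the sample values and server name are constructed.

```powershell
# Added example: audit WSUS-related MDM policy values on a managed Windows device.
# Assumption: the policy arrives via the Windows Update policy CSP, whose values
# are stored under this PolicyManager key.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

function Test-WsusPolicy {
    param([hashtable]$Policy)
    $findings = @()
    foreach ($name in 'UpdateServiceUrl', 'UpdateServiceUrlAlternate') {
        $url = $Policy[$name]
        if ($url -and $url -notmatch '^https://') {
            $findings += "${name} is not HTTPS: $url"
        }
    }
    if ($Policy['AllowNonMicrosoftSignedUpdate'] -eq 1) {
        $findings += 'Third-party signed updates allowed: review Trusted Publishers'
    }
    if ($Policy['SetProxyBehaviorForUpdateDetection'] -eq 1) {
        $findings += 'User proxy fallback allowed for update detection'
    }
    if ($Policy['DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection'] -eq 1) {
        $findings += 'TLS certificate pinning not enforced for WSUS scans'
    }
    $findings
}

# Read live values; fall back to a constructed sample when the key is absent.
$policy = @{}
if (Test-Path $PolicyKey) {
    $props = Get-ItemProperty -Path $PolicyKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { $policy[$p.Name] = $p.Value }
    }
} else {
    $policy = @{   # constructed sample, hypothetical server name
        UpdateServiceUrl                   = 'http://wsus.example.internal:8530'
        AllowNonMicrosoftSignedUpdate      = 1
        SetProxyBehaviorForUpdateDetection = 0
    }
}

Test-WsusPolicy -Policy $policy

# Certificates whose signatures third-party updates are accepted from.
if ($policy['AllowNonMicrosoftSignedUpdate'] -eq 1 -and (Test-Path Cert:\LocalMachine\TrustedPublisher)) {
    Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Select-Object Subject, Thumbprint, NotAfter
}
```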

Associate the WSUS Specific Settings policy with target Windows devices

There are two ways to associate the policy with the devices in bulk.

If the policy hasn’t been saved yet,

  1. Navigate to Policy Targets.
  2. Click on + Add Devices, search and select the required device(s) to which you need to apply the policy. Click OK.
  3. Click on Save to apply the policies to the devices.

Notes:

  • To associate the policies with a device group, select Device Groups from the left pane under Policy Targets, and follow the above instructions.
  • Similarly, you can associate the policy with Users, User Groups, or Domains from the same pane.

If the policy has been saved,

  1. From Policies, choose the policy.
  2. Click on the Manage drop-down, select Associate Targets and choose the target devices.
  3. Click Associate.